fix: Read newer attestation file format (#564)

* Read newer attestation file format

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Update error message

Signed-off-by: Ian Lewis <ianlewis@google.com>

* revert change

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Update test data

Signed-off-by: Ian Lewis <ianlewis@google.com>

---------

Signed-off-by: Ian Lewis <ianlewis@google.com>

cli/slsa-verifier/verify/verify_npm_package.go

@@ -54,7 +54,7 @@ func (c *VerifyNpmPackageCommand) Exec(ctx context.Context, tarballs []string) (
 		}
 
 		if c.AttestationsPath == "" {
-			fmt.Fprintf(os.Stderr, "Verifying npm package %s: FAILED: %v\n\n", tarball, err)
+			fmt.Fprintf(os.Stderr, "--attestations-path is required.\n\n")
 			return nil, err
 		}
 		provenanceOpts := &options.ProvenanceOpts{

verifiers/internal/gha/npm.go

@@ -44,6 +44,10 @@ NOTE: key available at https://registry.npmjs.org/-/npm/v1/keys
 */
 var npmRegistryPublicKey = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="
 
+type attestationSet struct {
+	Attestations []attestation `json:"attestations"`
+}
+
 type attestation struct {
 	PredicateType string      `json:"predicateType"`
 	BundleBytes   BundleBytes `json:"bundle"`
@@ -74,12 +78,12 @@ func (n *Npm) ProvenanceLeafCertificate() *x509.Certificate {
 }
 
 func NpmNew(ctx context.Context, root *TrustedRoot, attestationBytes []byte) (*Npm, error) {
-	var attestations []attestation
-	if err := json.Unmarshal(attestationBytes, &attestations); err != nil {
+	var aSet attestationSet
+	if err := json.Unmarshal(attestationBytes, &aSet); err != nil {
 		return nil, fmt.Errorf("%w: json.Unmarshal: %v", errrorInvalidAttestations, err)
 	}
 
-	prov, pub, err := extractAttestations(attestations)
+	prov, pub, err := extractAttestations(aSet.Attestations)
 	if err != nil {
 		return nil, err
 	}